
Re: Tproxy4+squid: ebtables wiki

Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9

Marko Kotar wrote:
Just curious, which kernel version are you using?



--- On Thu, 10/29/09, Dan <dan@xxxxxxxx> wrote:

From: Dan <dan@xxxxxxxx>
Subject: Re:  Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarmarko@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Date: Thursday, October 29, 2009, 5:24 PM
Those are the same ebtable and iptable rules that I am using except that I use DROP. If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.

Dan

Marko Kotar wrote:
Ok
My ebtable rules are (without -i option):
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
This might be the difference:
Bridge is up and has an IP address. Ethernet interfaces are up but do not have any IP address assigned.
ifconfig eth0 up promisc
...
bridge interface is configured with dhclient:
dhclient3 br0

These rules are for the routing:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
And:
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
squid configuration is default, except
acl allow all
and port is set to the same address as in iptables, and having TPROXY set.
I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
Squid Cache: Version 3.1.0.14
configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
configured only with the additional linux-netfilter flag

I've used various network configurations:
- virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
- computer with two interfaces.
- double bridged vmbox: two virtual machines: first having 2 virtual interfaces, bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
Drop didn't work in any of them, accept was tested only in first.

I think that's all the settings I have.


--- On Wed, 10/28/09, Dan <dan@xxxxxxxx> wrote:
From: Dan <dan@xxxxxxxx>
Subject: Re:  Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarmarko@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
Date: Wednesday, October 28, 2009, 9:21 PM
Marko Kotar wrote:
Thanks.

"redirect

The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
--redirect-target target

Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule.  DROP is what passes the frame off to iptables.  Could you show all your rules?  If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that cause the frame to be routed.

I have tried drop but it didn't work. I didn't get through any traffic.
If I didn't use any of the ebtable rules it went through.
But accept works.

--- On Wed, 10/28/09, Dan <dan@xxxxxxxx> wrote:
From: Dan <dan@xxxxxxxx>
Subject: Re:  Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarmarko@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Date: Wednesday, October 28, 2009, 1:03 AM
Marko Kotar wrote:
Hi,
You have incorrect commands in squid wiki for tproxy4 ebtables:
I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
With ebtables using broute ACCEPT and DROP have special meanings.  DROP means route the frame and ACCEPT means bridge the frame.
http://ebtables.sourceforge.net/misc/ebtables-man.html

There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
Thanks for the guide.

Marko



Dan
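The complete TPROXY-over-bridge ruleset pieced together from the rules posted in this thread, as an added example that is not part of the thread or of the Squid wiki. It keeps Marko's values (Squid tproxy port 3129, fwmark 1, routing table 100) and makes the ebtables standard target a variable, defaulting to DROP (which Dan reports works; Marko reports ACCEPT). The DRY_RUN switch and the sysctl form of the two /proc writes are my additions.

```shell
#!/bin/sh
# Added example: TPROXY-through-bridge setup as discussed on squid-users.
# Assumptions: Squid listens with TPROXY on port 3129, fwmark 1 and
# routing table 100 as in the thread. Run as root, or with DRY_RUN=1 to
# only print the commands that would be executed.
SQUID_PORT="${SQUID_PORT:-3129}"
# ebtables standard target after the MAC redirect: DROP = route the
# frame up to the IP stack (Dan's working setup), ACCEPT = bridge it
# (what Marko reports working for him).
REDIRECT_TARGET="${REDIRECT_TARGET:-DROP}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Layer 2: rewrite the destination MAC of port-80 frames so they can
# leave the bridge and reach the local IP stack (no -i, as in Marko's mail).
ebtables_rules() {
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target "$REDIRECT_TARGET"
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target "$REDIRECT_TARGET"
}

# Policy routing: packets carrying fwmark 1 are delivered locally, and
# reverse-path filtering on lo must not discard the spoofed-source replies.
routing_rules() {
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    run sysctl -w net.ipv4.conf.lo.rp_filter=0
    run sysctl -w net.ipv4.ip_forward=1
}

# Layer 3: packets belonging to an existing TPROXY socket are marked via
# DIVERT; new port-80 connections are handed to Squid's tproxy port.
iptables_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$SQUID_PORT"
}

all_rules() { ebtables_rules; routing_rules; iptables_rules; }

if [ "${1:-}" = "apply" ]; then all_rules; fi
```

Invoke as `sh tproxy-bridge.sh apply` on the bridge host, or `DRY_RUN=1 sh tproxy-bridge.sh apply` to review the eleven commands first; flip `REDIRECT_TARGET=ACCEPT` to reproduce Marko's variant.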